Saturday, February 23, 2008

P2P Control in Enterprises - What to look for in security devices?

P2P application popularity has been soaring. They are mainly meant for sharing files - Audio, Video and date files. Due to sharing of copyrighted files, there has been multiple law suites on P2P software providers and p2P users. Still the popularity continue to raise. Now, audio/video distributors are using p2p mechanism for marketing purposes. Some of Linux OS distributors are using P2P applications for downloading Linux images. So, it appears that P2P application is being adopted for businesses as well.

One of the main advantages of P2P is its low cost of distribution: P2P uses distributed delivery mechanism. Big file is divided into smaller pieces and they get distributed. User P2P application downloading these files will provide upload service there by making distribution network bigger day by day. P2P client downloads multiple pieces from different locations and combine them together to create original file. Original distributor site is less loaded due to inherent distribution capability of P2P applications.

Due to its low cost of delivering content to multiple users, this became play ground for distributing illegal copies and became kind of social networking tool where group of people share and distribute big size files containing audio/video and data content.

Some of popular P2P applications are:
  • AppleJuice
  • Ares: Ares, KCEasy the applications that use Ares protocol.
  • Bit Torrent Protocol: This protocol is implemented by many applications such as Azureus, BitTorrent, BitComet, Mu-Torrent , Shareaza and many more.
  • DirectConnect
  • eDonkey Protocol: eMule-Plus, xMule, aMule. Shareaza use this protocol.
  • FastTrack protocol: kazaa-lite, Shareaza, Kceasy use this protocol.
  • Freenet
  • Gnutella: Bearhare, Limeware, Gnuclues, iMesh and may applications use this protocol.
  • iMesh
  • Monolito
  • WinMX
  • Winny
Many one-click hosting providers provide content directly on their site for download. They include rapidshare, megaupload, youtube etc..


P2P applications are increasingly being used in Enterprise networks for personnel use. Some times, these P2P machines become super nodes where they become distribution point for some content, some times with the knowledge of user and some times inadvertently. These put strain on Enterprise WAN links. Also, it reduces employee productivity as they get hooked into these tools.

Enterprises are looking for ways to detect P2P applications and control them either by blocking the traffic or by limiting the traffic. Enterprise requirements are summarized as below.

  • Enterprises might need to allow some P2P applications as part of their business.
    • Enterprise might host P2P distribution servers to distribute their content.
    • Enterprises might allow some of their Employees to use some P2P applications for business use.
  • Enterprises might need to control bandwidth used by different P2P applications.
  • Enterprises might have different requirements of access control and rate control based on time-of-the day or day of the week.
In essence, Enterprises look for solutions which detect different kinds of P2P applications and throttle or block traffic. Enterprises are increasing looking at Network based security devices to provide this capability so that they can control at one central place.

What is the feature set Enterprise need to look for in security devices providing this function? Before this question is answered, it is better to know the inner workings of p2p applications.

Some of attributes of p2p applications from detection perspective:

  • Port hopping: P2P applications came long way. Initial version of P2P applications used to use fixed set of ports. It was easy to detect them and block them. P2P application developers improved their applications/protocols to use any port that is opened by local firewall. They even use Port 80 and Port 25 which are standard ports for HTTP and SMTP. Almost all P2p protocols use port hopping. So, detection of these application by port number is no longer sufficient.
  • Obfuscations - Using Encoding techniques: Due to port hopping nature of P2P applications, security device vendors started detecting the P2P applications by observing content patterns in all connections. Each P2P application can be recognized by certain pattern. Security device vendors provide these patterns as signature rules. This was very effective and continue to be effective. With popularity of these methods, P2P application developers started using encoding mechanisms to bypass detection by pattern match. Some of the examples are : Winny, Ares Galaxy and Skype.
  • Obfuscations - Using standard protocols with encryption : Security vendors started devising techniques to detect encoded connections by applying decoding logic before matching the patterns. Engineers did reverse engineering on some of the protocols or by understanding open source code of these applications. To thwart this, some P2P applications such as BitTorrent adopted encryption and making use of standard ports. BitTorrent started using HTTP for file transfer and SSL for encryption.
  • One Click File hosting providers: Almost all of them provide file share using HTTP protocol. So, detection should happen on HTTP protocol.
From above description, you can observe that it is a catching game for both security vendors and p2p application developers.

My observation as of now is that many P2P applications can be detected by content pattern matching. Some applications require decoding before matching.

What is it one need to look for in security devices claiming to be detecting P2P applications:
  • Just don't look for literature on application supported by the device. Ask questions. How is it being detected? How well it can add signatures to detect future versions of applications.
  • Look for flexibility of application detection signatures.
  • Look for application support which require decoding
  • Look for HTTP protocol intelligent keyword support in signatures to detect one click hosting providers. Without HTTP application intelligence, there could be many false positives.
  • Look for system that has ability to do SSL decryption (Proxy based or inline passive scanning).
  • Look for detection capability which spans across connections: P2P applications which are encrypted can successfully be detected by doing scanning across connections. Note that many P2P applications have handshake connections and data connections. By combing for a pattern across these connections, many P2P applications can be detected.
  • Look for traffic anomaly: Some P2P applications can't be detected by pattern match or can't be decrypted. In those cases, look for anomaly in the traffic with respect to number of connections made, detecting the connection rate, byte rate etc.. Though one can't pin point actual p2P application, it provides enough hints on who might be running p2P applications.
  • Always look for capability to block the P2P application traffic and/or rate limit the traffic on per IP address basis and schedule basis thus providing control for Enterprises on who can use which P2P application(s) and at what time of the day.

No comments: